
Despite Internet Explorer reaching end of life in 2022, MSHTA is packaged by default on Windows systems and is used as a living-off-the-land binary (LOLBIN) to launch malware.
“Even when companies retire legacy products, parts of their ecosystem can persist in Windows for years to support older workflows and enterprise compatibility requirements,” the researchers explained in a blog post. “Threat actors frequently abuse trusted, preinstalled Windows binaries to execute malicious content while relying on software already present on the system.”
Microsoft did not immediately comment on the issue.
Bitdefender researchers observed MSHTA appearing across infection chains associated with commodity stealers such as LummaStealer and Amatera, multi-stage loaders like CountLoader and Emmenhtal Loader, banking trojans including ClipBanker, and even the long-running PurpleFox malware family.
